Re: [Spud] Extensibility considered harmful? was Re: [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks

Kyle Rose <krose@krose.org> Wed, 10 August 2016 12:41 UTC

Return-Path: <krose@krose.org>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD3612B076 for <spud@ietfa.amsl.com>; Wed, 10 Aug 2016 05:41:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pk3r3YPA7jvL for <spud@ietfa.amsl.com>; Wed, 10 Aug 2016 05:41:36 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDE3212D0FF for <spud@ietf.org>; Wed, 10 Aug 2016 05:41:35 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id 52so19915788qtq.3 for <spud@ietf.org>; Wed, 10 Aug 2016 05:41:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xT9h+OQhi5q6C/D2iChWaQKZ2/+xezJex5oVTN+tlz8=; b=pHV6sk4CeNI1cC+Yfh+wB29LZIhWkKZ5etgBEhEHMeJ5SXZYu8qbGnH0J88R1MMZrG ZjFdgdKV7hTfitBrl0jINjp/kgBL5BDE3Xg+oTOXLzowYkM/JEBfihwHH2X9HBOYCOxv szQ80pdbcnVsgEWpytXRmLpMUeWxGD4rc2fn4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xT9h+OQhi5q6C/D2iChWaQKZ2/+xezJex5oVTN+tlz8=; b=OsUWirUubFT2ooNUGHacIKZh9+Ey30au1jWmL5G7DLrRIgZ7kU5BqR3ZIDw4JOWIio Cdmb3slAqMsDpdsBEE11U+ZOC8M8h2fb01NWdXEqx5OcpyRKgfZ/vwlwluxPyTGOhoyL TcbI9TkmVRLojtAgC8FdmFDXgLDO3Gx6/DrGJUY/7KiEi02j9YXrpaZDfX4Zu0Cfw06O hMXLwx+aoK5xFoLBCAVyBqVxZKn7YmpgK88D3NJejv20VHOYoUSJ+aC0kVEFxZIsiMLr keVNKBaQ7Z2LSG7d6hxp3i4HKZLpgmL+QfM5Rt3SOFGNTaQsnIaTbKZFDs3m/uaD92bt vFSQ==
X-Gm-Message-State: AEkoouvpOd5rlolw3O2Aaz5ytC3ZNkpqu7t/xALHv5MjJDjL/O/guoNo6MvcXJrPfbtEWQY0o31mz+puLyA0mg==
X-Received: by 10.237.45.135 with SMTP id i7mr4071432qtd.30.1470832894980; Wed, 10 Aug 2016 05:41:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.94.70 with HTTP; Wed, 10 Aug 2016 05:41:33 -0700 (PDT)
X-Originating-IP: [2001:470:1f07:121:a85a:f18f:f2c0:e72d]
In-Reply-To: <fd9d6567-6dbc-3044-7fb2-acaa560de401@cs.tcd.ie>
References: <409B6F52-B637-4333-915B-A8127C80C98B@trammell.ch> <402A30BB-1A20-4D54-95CA-7C50D8C0F26B@tik.ee.ethz.ch> <dc29fa73-88fd-3dc4-7497-f1bd2fa60422@cs.tcd.ie> <8722FE8E-1026-43D5-BE17-1D6B4031C0D8@tik.ee.ethz.ch> <1b261e1e-a543-53df-8a2a-7dddae415a14@cs.tcd.ie> <D2CEDF13-E508-4732-B8F6-98FBBDDC7EE6@tik.ee.ethz.ch> <f5c06c8a-5bef-86f6-5c62-302e7f6f75bf@cs.tcd.ie> <B58C7986-4B91-41FB-A6B6-F8E7BD25E799@tik.ee.ethz.ch> <6a61c305-c1f6-d14d-d0c4-d9809cfb5f78@cs.tcd.ie> <F7541B2E-86C2-49C6-B616-BDCC567CDAFC@lurchi.franken.de> <92b31df8-f557-a935-a3d8-1f7bf7ee8689@cs.tcd.ie> <E9B17055-DB61-41C6-9D9F-7510E9EC1ADE@lurchi.franken.de> <45d1e4f8-43fd-181f-b902-73f129e8518b@cs.tcd.ie> <B018BDCD-64EF-4F86-9B0B-FA73EA63A5C9@trammell.ch> <b4a87191-0bb9-7c3a-9717-68ae6ef33406@cs.tcd.ie> <CA+9kkMB+j=My1i2Ygyz1VaO+ZjgtPr-SjoEKhcdve8gw-vq0Jw@mail.gmail.com> <5113d019-2405-fba0-0868-04a05ccce3f1@cs.tcd.ie> <CAJU8_nWgdFNAKwegm9yXKcFB3BTkGeEQBPm3H4bY8JrWtTyXrQ@mail.gmail.com> <fd9d6567-6dbc-3044-7fb2-acaa560de401@cs.tcd.ie>
From: Kyle Rose <krose@krose.org>
Date: Wed, 10 Aug 2016 08:41:33 -0400
Message-ID: <CAJU8_nWVi3g7PG00imGb4oG2JJ33UkJZds3CLDUDr0jucChokQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary=94eb2c069e183acbbb0539b6f802
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/86GsyP-DWSqwDcz5GInsgAlqgG8>
Cc: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>, Brian Trammell <ietf@trammell.ch>, Ted Hardie <ted.ietf@gmail.com>, =?UTF-8?Q?Mirja_K=C3=BChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>, spud <spud@ietf.org>
Subject: Re: [Spud] Extensibility considered harmful? was Re: [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2016 12:41:40 -0000

On Sat, Aug 6, 2016 at 8:38 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>;
wrote:

>
> Hi Kyle,
>
> Again, sorry for the slow response. But we're likely evens on that:-)
>

And again for me. :-)


> > Perhaps ironically, this argument has basically re-convinced me that
> > privacy at the routing layers on the public internet is hopeless.
>
> FWIW, I never agree that privacy is hopeless.
>

I'll agree that "hopeless" is a bit hyperbolic, but the degree of
hopelessness depends on what the threat model is. For coercion of single
bits, I'm willing to stand by that phrasing.


> And even if it, in some sense, were, I firmly believe that we can
> choose to make the Internet worse wrt privacy or to not do that.
>
> So even if we cannot "solve" the "privacy problem," there is still
> an onus on us (as good engineers) to not make that worse and to define
> tooling that would allow folks to make things better should they later
> choose to deploy those tools. (That last has to be done quite
> selectively though, only after some tool looks like it might get at
> least some real traction, as otherwise we enter the realm of speculative
> research and not engineering.)
>

A necessary element to the approach you outline is having a coherent vision
for what we want a privacy-first internet to look like, and how we would
get there. I don't think an incremental approach based on RFC 6973 and
derivatives is going to achieve that because so far what I see is a blanket
prohibition on extensibility out of fear that some mechanism could be used
for nefarious purposes, when what protocol designers need is guidance on
what they *can* do.

The threat model in 7624 may be a good starting point for this, but the
prohibitions implied there need to be inverted into a set of design
guidelines that the IAB considers acceptable. I don't think the black box
approach to standards approval is the right one, but it feels like that's
where we are without explicit guidance.

Furthermore, during the transition phase between the internet of 2016 and
the internet of 2036, we can't hamstring all standards development because
not all the building blocks for the privacy-first internet are in place.
Users have needs, and if they aren't fulfilled by the IESG, users will
migrate to getting their standards elsewhere, and everyone will be worse
off from the resulting fragmentation. Our sweet spot is not standing
athwart all development, yelling "stop!": it's balancing individual user
needs and wider privacy concerns and standardizing something that will work
well enough that people use it, that don't materially worsen the existing
privacy problems, and that we can show will improve such things over time.
(Emphasis on "show".)

We don't have dictatorial control over the internet, but a lot of these
discussions seem to implicitly frame the problem that way. If we don't give
users what they want, we risk becoming irrelevant.

Concern about one bit seems not to fit with a balanced approach; worrying
about a generic key/value mechanism not under endpoint control probably
does. Where do we draw the line, and why?


> Also - I'm not sure what you mean by "routing layers" nor how that
> maps to the transport issues SPUD/PLUS is trying to address.
>

Sorry, by "routing layers" I mean essentially the metadata that must be
made known to third-party network elements in order to direct packets to a
logical destination: DNS requests and the destination address in a packet
are the most obvious of these, but it also includes things like SNI for
certain layer 3 routers and load balancers.

I think we would both (all?) agree that today there is too much public
metadata, and that metadata is not narrowly directed at only those network
devices that actually need it. I would argue we need to start scoping out
possible reductions in this envelope, both in a v6 internet and in an ideal
world with the protocols we really want. We can then express balanced
guidance on privacy protections for the internet we have, allowing
standards development to continue for users' real-world needs, while also
moving forward in the research/experimental direction toward the internet
we want.

Constraining standards development in the internet we have based on what's
possible in the internet we want, but haven't scoped or defined, and that
we might get at some undetermined point in the future, is not acting in the
interests of users.


> In that and many cases though the other endpoint would not (in general)
> know of the silly addressing scheme. If we standardise such, then all
> endpoints know of the silliness and the situation is worse.
>

Understood, but the even/odd address thing is something any ISP or
government can unilaterally implement and enforce for all of its own users:
it requires no further standards work. At least with IPv6, I'd argue the
only unilateral mitigation for this kind of concern is to shut off the
network. So including this in the threat model as anything other than
"accepted risk" effectively shuts down all discussion of protocol
extensibility.


> I'm also not sure that coercion is the right term for this part of the
> problem. At least as I envisage things, if a middlebox can ever add a
> standardised extensible value to the flow, then we are likely to run
> into these issues.


I read your initial objection as 'the ISP can make the user add this
information, or a blank space for fill-in by path elements, to its PLUS
header before signing'. Coercing users into adding either the information
itself or a blank space for the information (such that modifications to
that value are allowed by recipient stacks, even in the presence of a MAC
for the keys and all the other values) seems like the general threat here.

For each specific threat, the two relevant follow-up questions seem to be:

(1) How does this extension make privacy more difficult to achieve than it
is today?
(2) How does this extension make privacy more difficult to achieve than it
would otherwise be under this new internet we'll have deployed X years from
now, and is the objection relevant if the protocol stack will look entirely
different?

I am using a comparative ("more difficult") rather than an absolute (e.g.,
"unachievable") because there are other, heavier-weight approaches like TOR
that can give us a lot of what we want on top of the public internet of
today.

It's very unclear to me that SPUD/PLUS can work and
> not allow such addition whilst also not introducing new round-trips.
> But we'll need to wait and see what the PLUS proponents actually
> propose before we can really analyse that.
>

I think the burden is on both sides of the argument: the PLUS proponents
need to demonstrate a need and a protocol that narrowly achieves that need,
and privacy advocates need to come to some public agreement on what degree
of extensibility is okay, and formalize that so protocol designers aren't
shooting arrows in the dark or at a moving target.

Kyle